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Abstract 

Just as actions can have indirect effects on die state of the 
world, so too can sensing actions have indirect effects on 
an agent's state of knowledge. In this paper, we investigate 
“what sensing actions tell us", i.e., what an agent comes to 
know indirectly from the outcome of a sensing action, given 
knowledge of its actions and state constraints that hold in the 
world. To this end, we propose a formalization of the no- 
tion of testing within a dialect of the situation calculus that 
includes knowledge and sensing actions. Realizing this for- 
malization requires addressing the ramification problem for 
sensing actions. We formalize simple tests as sensing ac- 
tions. Complex tests are expressed in the logic programming 
language Golog. We examine what it means to perform a 
test, and how the outcome of a test afreets an agent's state of 
knowledge. Finally, we propose automated reasoning tech- 
niques for test generation and complex-test verification, un- 
der certain restrictions. The work presented in this paper is 
relevant to a number of application domains including diag- 
nostic problem solving, natural language understanding, plan 
recognition, and active vision. 


Introduction 

Agents equipped with perceptual capabilities must operate 
in a world that is only partially observable. To determine 
properties of die world that are not directly observable, an 
agent must use its knowledge of the relationship between 
objects in die world, and its limited perceptual capabili- 
ties to infer such unobservable properties. For example, if 
an agent performs a sense action and observes that there is 
steam coming out of an electric kettle, then the direct effect 
of that sensing action is that the agent knows there is steam 
coming out of die ketde. With appropriate knowledge of the 
functioning of kettles, the agent should also know that the 
electrical outiet has power, that the kettle is functioning, and 
that there is hot liquid inside the kettle - all as indirect ef- 
fects of the sensing action. Similarly, if die agent wishes to 
know whether there is power at an electrical outiet, but can- 
not directly sense this property of the world, die agent may 
potentially acquire this knowledge by attempting to boil wa- 
ter in a ketde plugged into this outlet. 
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Such a sequence of actions constitutes a test. If steam is 
observed, then the agent knows that there is power at the out- 
let; however if steam is not observed, the agent may or may 
not know that there is no power at the electrical outiet. The 
knowledge the agent acquires from the test will depend on 
whether the agent knows that the ketde is functioning. Thus, 
this particular test is only guaranteed to provide knowledge 
about the existence of power at the electrical oudet under 
one test outcome. 

While researchers have extended theories of action to 
include the notion of sensing or knowledge-producing ac- 
tions (e.g., (Scherl Sc Levesque 1993; Baral Sc Tran 1998; 
Golden Sc Weld 1996; Funge 1998)) and have charac- 
terized the effect of sensing actions on an agent's state 
of knowledge, and even how to plan (e.g., (Stone 1998; 
Golden & Weld 1996)) and to project (e.g., (De Giacomo 
St Levesque 1999b)) in certain cases, with sensing actions, 
they have not addressed the problem of how to reason in 
a partially observable environment 1 . More generally, they 
have not examined the problem of how sensing actions 
can be coupled with knowledge of the relationship between 
objects in the world to gain further knowledge, and how 
both sensing actions, and world-altering actions change an 
agents state of knowledge in the presence of such world 
knowledge. Further, they have not examined the problem 
of how to select sensing actions to acquire knowledge of 
some property of the world that is not directly observable. 
Perhaps die closest research is that of (Shanahan 1996b; 
1996a) who investigates the assimilation of sensing results 
for a mobile robot in a framework based on the event cal- 
culus, (Mcllraith 1997) who assimilates observations into 
situation calculus device models to perform dynamical di- 
agnosis, or (Baral, McDraith, & Tran 2000) who do likewise 
in the language C. 

In this paper, we examine these issues in a dialect of the 
situation calculus that has been extended with knowledge- 
producing actions 2 (Scherl Sc Levesque 1993), but which 
does not include state constraints. Following (Mcllraith 
2000), we add state constraints to this language in order to 


1 Partially-Observable Markov Decision Processes (POMDPs) 
address this class of problems within a different formalism, but 
they do not address the testing issues we examine here. 

2 Henceforth referred to simply as sensing actions. 



model the relationship between objects in the world, adopt- 
ing the associated solution to the ramification problem for 
world-altering actions. We show that this solution extends 
to solve the ramification problem in the presence of sens- 
ing actions. Next, we define the notion of a test — how to 
design them and what knowledge can be drawn from their 
outcomes. In the formalization, simple tests comprise a set 
of initial conditions and a primitive sensing action. Complex 
tests are expressed as complex actions in the logic program- 
ming language Golog. We examine what it means to per- 
form a test, and how the outcome of a test affects an agent’s 
state of knowledge. Additionally, we examine the issue of 
selecting tests to confirm, refute, or discriminate a space of 
hypotheses. 

Finally, we investigate the automation of reasoning about 
tests. We show that regression may be used to verify ob- 
jective achievement for complex tests written in a subset of 
Golog. Further restrictions on the form of die complex tests 
allows die same regression operators to serve as the basis 
for a simple regression-style planner that generates tests to 
increase an agent’s knowledge with respect to a space of hy- 
potheses. 

Situation Calculus 

The situation calculus language we use, following (Reiter 
2000), is a first-order language for representing dynamically 
changing worlds in which all of the changes are the direct 
result of named actions performed by some agent, or the in- 
direct result of state constraints. Situations are sequences 
of actions, evolving horn an initial distinguished situation, 
designated by the constant So- If a is an action and s a sit- 
uation, the result of performing a in s is the situation rep- 
resented by the function do(a , s). Functions and relations 
whose truth values vary from situation to situation, called 
fluents , are denoted by a predicate symbol taking a situation 
term as the last argument. Note that for the purposes of this 
paper, we assume that our theory contains no functional flu- 
ents. Finally, Posh {a. s) is a distinguished fluent expressing 
that action a is possible to perform in situation s. A situation 
calculus theory V comprises the following sets of axioms: 

• foundational axioms of the situation calculus, E, 

• successor state axioms, V$s, 

• action precondition axioms, V ap , 

• axioms describing the initial situation, T>s n , 

• unique names for actions, V un a* 

• domain closure axioms for actions, 

Successor state axioms, originally proposed by (Reiter 
1991) to address the flame problem and extended by (e.g., 
(Lin & Reiter 1994; Mcllraith 2000)) to address the ramifi- 
cation problem, are created by making a causal interpreta- 
tion of die ramification constraints and a causal complete- 
ness assumption and compiling effect axioms of the fonn 3 : 

Pons {a. s) Ayr (*? « s *) 3 F(x, do(a , ,s) ) (1 ) 

Poss(a, s) A 7 p (*-, «» *) 3 “'Ffl. do(a. .s)) . (2) 

3 Notational convention: all formulae are universally quantified 
with maximum scope unless otherwise noted. 


and ramification (state) constraints of the form: 

v+{x,s)OF{x,s) (3) 

D ->F(x,s\ (4) 

into Intermediate Successor State Axioms of the form: 

Poss(a.s) 3 \F t (x. do{a. s)) = <bp.] where, (5) 

<&r, = 7f; <*, «> •’) V i'f, (••?, ■•>)) 

V(F(?,s) 

A -'(7F, (*> «, •’) v i.y. (.if, i lot a, . 1 )))), (6) 

I.e., if an action is possible is situation s, then it implies that 
die fluent is true in do(a , .*) iff an action made it true -or- 
a state constraint made it true -or- it was already true and 
neither an action nor a state constraint made it false. 

Such intermediate successor state axioms provide a com- 
pact representation of a solution to the ramification problem 
for a common class of state constraints. (Mcllraith 2000) 
shows that for what are essentially acyclic causal ramifi- 
cation constraints, repeated regression rewriting (e.g., (Re- 
iter 1991)) of$p.,7v* [$/?.] = repeatedly rewrites the 
r amific ation constraints that are relativized to do(a , .s) in (6) 
above, and is guaranteed to terminate in a formula whose 
fluents are relativized to situation s rather than do(a.s). 
Both die intermediate and the less compact (final) succes- 
sor state axioms which result from die regression provide 
closed-form solutions to the flame and ramification problem 
for the designated class of state constraints. 

To illustrate sensing and testing in partially observ- 
able environments, we present a partial axiomatization of 
a car repair domain, derived from The Complete Idiot's 
Guide to Trouble-Free Car Care (Ramsey 1999). Our do- 
main includes world-altering actions such as tumj>n(x) and 
turn -of fix), where x is radio or lights. These have the 
effect that the radio or lights are on/off in die resulting situ- 
ation. Actions turn(key) and released key) have the effect 
that the ignition is begin turned (turning Jgn) 9 or not, in 
the resulting situation. These actions are defined in terms 
of effect axioms and are combined with the following self- 
explanatory state constraints to produce successor state ax- 
ioms. For notational convenience we abbreviate: transmis- 
sion - travs, interlock - intrlk , solenoid - solnd, engine - 
engn, battery - haft; ignition system - ignsys, start system - 


strtsys. 

cmptyigafiJank.fi) 7 ->) itartableis) (7) 

abiintrlk.fi) 3 ->fitartableis) (8) 

ubibatt.fi) 3 -miartableifi) (9) 

ub(fiofntL fi) 3 -ifiiarlnhteifi) (10) 

abifitarier.fi) 3 ^fifar tablets) (11) 

au/oUrnn*) A ~>ingear{iranfi. *) 3 ab{inlrik. fi) (12) 
manual(l rans) A -aleprefified{clutch, fi) 3 abiintrlk.fi) (13) 
turning Jgnifi) A ab{batt , *) 3 ->noific(engn. fi) (14) 
turning Jgnis) A einptyigafiJunk.fi) 3 ->noifie{engn. *) (15) 



f timing Jgn{s) A ~^nti[aohid. #) D noijn y (*olnd. *) (16) 

abibati. j») A <m( radio . *) 3 -inoi#e( radio , *) (17) 

n/»( radio, 3 (18) 

->ab(balLn) Aon{fighU. a) 3 emit &(tight < s ) 0$) 


Space precludes listing all the successor state axioms. There 
is one (intermediate) successor state axiom for each fluent. 
E.g., axioms (7H11) compile into intermediate successor 
state axiom (20): 

Pos$(a, s) D [startaUe(do(a t s)) s 

-^cmptyiga sJta nk. do(a , s)) A -tabiintrlk. do(a. s)) 

A -i abibatt , </o(tt, ,«*)) A ^<zfc(s0f7*/.do(a, -s)) 

A -*ab(startcr. do(a. ,s))] (20) 

As described in (Mcllraith 2000), the axioms describing 
the initial situation, So contain what is known of the initial 
situation as well as the ramification constraints of the form 
of (3) and (4), relativized to Sq. 

Knowledge and the Ramification Problem 

In (Scherl & Levesque 1993), the situation calculus lan- 
guage without state constraints was extended to incor- 
porate both knowledge and sensing actions. World- 
altering actions change the state of the world, sensing ac- 
tions have no effect on the state of the world but rather 
change the agent’s state of knowledge. In our exam- 
ple, sensing actions include check -f uel* check ^ar Mart, 
check. radio jnoisc etc., which have the effect of the agent 
knowing empty (gas Jank, do(a % *)), st actable (<lo(a, s)) t and 
noise ( radio , do(a, s)). 

The notation Knows(o,s) (read as o is known in 
situation s) y where <i> arbitrary formula, is an abbre- 
viation for a formula that uses K. For example 
Knows(o7?.( block ] , block?)* s) abbreviates: 

V.s' K(fi , s) 3) onlbloek) , block ? , d). 

The notation Kwhether(<y, ,s) is an abbreviation for a for- 
mula indicating that die truth value of o is known. 

Kvrlietlier(^, s) = r Knowsia, s) V Knowsf-^. 

Following the notation of (Levesque 1996), each sense ac- 
tion a has a sensed fluent , SF(a. s) associated with it, and 
for each such a, T> entails a sensed fluent axiom: 

SF(a,s) = vi(s), (21) 

which says that performing the sense action a tells the agent 
whether die formula p(s) is true or false. Thus, T> 
Kwhether ( {$?, do(s, s)) where a is an action with a sensed 
fluent equivalent to o. 

For the sense action check-f uel the sensed fluent axiom 
is: 

SF (check .fuel, s) = empty (gas Ja nk. s) (22) 

which tells us whether or not die gas tank is empty. For 
world-altering actions, V entails SF(a , .s) = True. 

In (Scherl & Levesque 1993), a successor state axiom for 
the K fluent is developed. Its form is as follows: 

Successor State Axiom for K 
Poss(a.s) D [K(s" .do(a, s)) = 

3 s'. Pass (a. s') A K(s\s) A (s' — do(a. s')) A 
[$F(o,y)sSF(a,*)] (23) 


which says that after doing action a in situation .s, the agent 
thinks it could be in a situation s n iff .s" = do(a. s f ) and s' 
is a situation that was accessible from .% and where s and *' 
agreed on the truth value of SF(n, s ), e.g., the truth value 
of empty (gas Jank). Thus, for all situations <lo(a. s), the K 
relation will be completely determined by the K relation at $ 
and the action a. This extends Reiter’s solution to the frame 
problem (without ramifications and without knowledge) to 
the case of the situation calculus with sensing actions. 

Proposition 1 In the situation calculus theory described 
above, the agent knows the successor state axioms and the 
ramification constraints. 

This follows from the fact that die successor state axioms 
are universally quantified over all situations, and the rami- 
fication constraints explicitly hold in So and are entailed in 
all successor situations, by the successor state axioms. 

Theorem 1 (Correctness of Solution) The proposed solu- 
tion to the frame and ramification problems for world- 
altering and sensing actions ensures that knowledge only 
changes as appropriate , as defined by Theorems 1, 2, 
3 (Scherl & Levesque 1993). Furthermore , the agent knows 
the indirect effects of its sensing actions. 

Thus, the successor state axioms for world-altering and sens- 
ing actions, together address the frame and ramification 
problems. 

Testing 

The purpose of a test is to attempt to determine the truth 
value of certain properties of the world, that may or may 
not be directly observable. A test is often performed with 
respect to a set of hypotheses, with the objective of elimi- 
nating as many hypotheses as possible from the set of hy- 
potheses being entertained Testing has been studied ex- 
tensively for the specific problem of IC circuit testing, but 
there is little work on testing for rich dynamical systems 
such as the ones we examine here. The notion of a static 
test was briefly discussed in (Moore 1985, litmus example), 
and further developed for static systems in (Mcllraith 1994; 
Mcllraith & Reiter 1992). We build directly upon the work 
in (Mcllraith 1994) with the objective of developing a for- 
mal theory of testing for dynamical systems. 

Informally, a simple test comprises a set of initial con- 
ditions that may be established by the agent, together with 
the specification of a primitive sensing action, which deter- 
mines what the agent will directly come to know as the result 
of the test. In our car repair domain, we can test the battery 
by checking the radio for noise. The initial conditions for 
such a test might be on ( radio, s). Then we can perform the 
sensing action cheek j'adiojnois e to see whether the radio is 
emitting noise. Note that the precondition for petforming 
the action check jrtMliojnoi sc , Poss(che ckjradiomoi sc, s) ~ 
i n side (car, s), is different from the initial conditions of the 
test. Both must hold and must be consistent with the theory 
and with the current hypotheses being entertained, in order 
to execute the test. 

We distinguish between two types of tests, truth tests 
which tell us whether the properties being sensed are true in 


the physical world, and junctional tests , which tell us what 
values of the properties are true in the physical world. For 
the purposes of this paper, we restrict our attention to truth 
tests, and our sensing actions to so-called binary sense ac- 
tions which establish the truth or falsity of a sensed formula. 

Definition 1 (Simple Test) 

A simple test is a pair, (I, a), where I, the initial conditions , 
is a conjunction of literals, and a is a binary sense action 
whose sensed formula contains no free variables. 

(oniradio, s), check j'adiojnoisc) is an example of a simple 
test, following the discussion above. We now define the no- 
tion of a test for a particular hypothesis space, represented 
by the set HYP. We restrict the hypotheses, His) £ HYP 
to be conjunctions of fluents whose non-situation terms are 
constants, and whose situation term is a situation variable s. 
In our car repair domain, an example hypothesis space might 
be {ab(batt, s ) , ah(soliul, ,s). cmptyigasJank, .s)}. 

Definition 2 (Test for Hypothesis Space HYP) 

A test (/, a) is a test for hypothesis space HYP in situation 
s iffV AlAPofss{a , s)aH(s) is satisfiable for every H(s) £ 
HYP . 

That is, the state the world must be in to execute 
the sensing action must be satisfiable, under the as- 
sumption that any one of the hypotheses in die hypoth- 
esis space could be true. Consider that V entails the 
safety constraint -exploswn(s) and the axiom sparks(s) A 
gasJcak(s) 3 explosion(s\ and that our hypothesis space 
is {gasJeak(s),ab(sparkj)lug, s)}. A reasonable test for 
ab( spark-plug, s) is to try to create sparks at die plug. Unfor- 
tunately such a test would cause an explosion in die presence 
of a gas leak. The satisfiability check above precludes such 
a test. 

Definition 3 (Confirmation, Refutation) 

The outcome a of the test {La) confirms H(s) 6 HYP 
iff V A 1 A Poss(a , s) A H(s) is satisfiable and T> A I A 
Poss(a. s) \= Knows(i7 D a.s). a refutes H(s) iffV A 
I A Poss (a. s)aH(s) is satisfiable and V A 7 A Post (a. s) |= 
Knows (H D -««, s). 

If the outcome of test (on (radio, s), check -radio jnoisc) is 
noise {radio, do(a. *)), then our test refutes die hypothesis 
abibatt . ,s), following Axiom (17), and we can eliminate 
abilMitt, s) from our hypothesis space, HYP . 

Observe that a test outcome that refutes an hypothesis 
H(s) allows us to eliminate it from HYP. Unfortunately, a 
test outcome that confirms an hypothesis is generally of no 
deterministic value, resulting in no reduction in the space of 
hypotheses. As we will see in a section to follow, there are 
exceptions that depend on the criteria by which die hypoth- 
esis space is defined. 

In the sections to follow we use these basic definitions 
to define discriminating tests and relevant tests. These tests 
are distinguished by the effect their outcome will have on a 
general space of hypotheses. 

Discriminating Tests 

Notice that in our example above, if we had observed 
^iwisciradio, do(a, s)), then by die definition, this would 


have confirmed the hypothesis abibatt, s), but it would have 
been of little value in discriminating our hypothesis space. 
All hypotheses remain in contention. Discriminating tests 
are those tests (7, a) that are guaranteed to discriminate an 
hypothesis space 77YP, i.e., which will refute at least one 
hypothesis in HYP, regardless of the test outcome. 
Definition 4 (Discriminating Tests) 

A test (L a) is a discriminating test for the hypothesis space 
HYP iffV A 7 A Poss(a , .s) A H(s) is satisfiable for all 
H(s) e HYP, and there exists Hi(s), Hj(s) € HYP 
such that the outcome a of test (7, a) refutes either Hj{s) 
or Hj (s), no matter what that outcome might be. 

Proposition 2 

After we perform a discriminating test, (L a), 
Knows(-i77j , $), for some Hj (*) € HYP. 

In general, we would like a discriminating test to reftrte 
half of the hypotheses in the hypothesis space, regardless of 
the test outcome. By definition, a discriminating test must 
refute at least one hypothesis in the hypothesis space. 

Definition 5 (Minimal Discriminating Tests) 

A discriminating test (7. a) for the hypothesis space HYP 
is minimal iff for no proper subconjunct V of I is (7 / .a) a 
discriminating test for HYP. 

Minimal discriminating tests preclude unnecessary initial 
conditions for a test. 

In some cases, we are interested in identifying a test that 
will establish the truth or falsity of a particular hypothesis. 
An individual discriminating test does precisely this. 

Definition 6 (Individual Discriminating Tests) 

A test (7, a) is an individual discriminating test for the hy- 
potheses Hi(s) and ->Hi(s) € HYP iffVAlAPoss(a, s)A 
H{s) is satisfiable for all H(s) £ HYP and the outcome a 
of test (I. a) refutes either Hi(s) or -<Hi(s), no matter what 
that outcome might be. 

Proposition 3 

After we perform an individual discriminating test (La), 
Kwhether(ifi. s) for some Hi € HYP. 

The test ({}, check -f uel) is such a test. The out- 
come will be one of -*empty(gasJank, do(a, .s)) or 
cmptyigasJank, do(a,s)). Thus, as the result of per- 
forming check-fuel in the physical world, the agent 
KwhetixtTicmpt y(ga*Jank, s)). 

We can similarly define the notion of a minimal individual 
discriminating test, and a minimal relevant test, below. 

Relevant Tests 

In the majority of cases we will not be so fortunate as to 
have discriminating tests. Relevant tests are those tests 
(7. a) that have the potential to discriminate an hypoth- 
esis space HYP , but which cannot be guaranteed to do 
so. Given a particular outcome cv, a relevant test may re- 
fute a subset of the hypotheses in the hypothesis space 
HYP, but may not refute any hypotheses if is ob- 
served Since we can’t guarantee the outcome of a test, 
these tests are not guaranteed to discriminate an hypothe- 
sis space. (oniradio, .<*). check j'OAliojnoise ) is an example of 
such a test. 



Definition 7 (Relevant Tests) 

A test {La) is a relevant test for the hypothesis space 
HYP iffV A / A Poss(a , s) A iff*) is satisfiable for all 
H {.<t)inHY P, and the outcome a of test (L a) either con- 
firms a subset of the hypotheses in HYP or refutes a subset. 

By definition, a relevant test confirms or refutes at least 
one hypothesis in HYP, and it follows that every discrimi- 
nating test is a relevant test. 

In addition to discriminating and relevant tests, there is 
a third class of tests. Constraining tests do not refute an 
hypothesis, regardless of the outcome, but they do provide 
further knowledge drat is relevant to the hypothesis space 
and which the agent can exploit in combination with other 
tests. We discuss this notion in a longer paper. 

Testing Hypotheses 

In the previous section we observed that a test outcome that 
refutes an hypothesis H{s) e HYP allows us to eliminate 
it from HYP, but that in general an outcome that confirms 
H{s) has no value in reducing die hypothesis space. In this 
section, following (Mcllraith 1994), we show that when the 
hypothesis space is determined using a consistency-based 
criterion this is indeed true, but when the hypothesis space is 
defined abductively, confirming test outcomes serve to elim- 
inate those hypotheses that are not confirmed, i.e., that do 
not explain, the test outcome. 

Definition 8 (Consistency-Based Hypothesis Space) 

A consistency-based hypothesis for V and outcome o of 
the test {I, a) is any H (a) € HYP such that V A / A 
Poss(a , s) A H(s) Act is satisfiable . 

Proposition 4 (Eliminating C-B Hypotheses) 

The outcome a of a test {L a) eliminates those consistency- 
based hypotheses , H{s) € HYP that are refuted by test 
outcome rv. 

Definition 9 (Abductive Hypothesis Space) 

An abductive hypothesis for V and outcome a of the test 
(/. a) is any H{s) € HYP such that V A / A Poss{a , .$) A 
H(s) is satisfiable, and V A I A Poss{a , .s) A H(s) f= a. 

Proposition 5 (Eliminating Abductive Hypotheses) 

The outcome a of a test (L a) eliminates those abductive 
hypotheses, H(s) e HYP that are not confirmed by test 
outcome a. 

Thus, in the case of abductive hypotheses, unlike 
consistency-based hypotheses, both confirming and refuting 
test outcomes have die potential to eliminate hypotheses. 

Proposition 6 (Efficacy of Tests) 

Any outcome o of a relevant test (I.a) can eliminate abduc- 
tive hypotheses, whereas only a refuting outcome can elimi- 
nate consistency-based hypotheses . Discriminatory test out- 
comes, by definition, can eliminate either consistency-based 
or abductive hypotheses, regardless of the outcome . 

Complex Tests 

In the previous section, we defined the notion of a simple 
test (/. a), and characterized the circumstances under which 


the outcome of such a test would discriminate an hypoth- 
esis space. Indeed, to discriminate an hypothesis space, we 
may need a sequence of simple tests, interleaved with world- 
altering actions in order to achieve the initial conditions for 
a test. Likewise, the selection and sequencing of sensing 
and world-altering actions may be conditioned on the out- 
come of previous sensing actions. In the section to follow, 
we examine the problem of generating tests using regres- 
sion. As we will see, generating tests, especially tests that 
involve sequences of sensing and world-altering actions is 
hard. In many instances, we need not resort to computation. 
The domain axiomatizer can articulate procedures for testing 
aspects of a system, just as the author of The Idiot's Guide 
has done in the domain of car repair. The logic programming 
language, Golog (alGOl in LOGic) (Levesque et al 1997) 
provides a compelling language for specifying such tests, as 
we describe briefly here. 

Only a sketch of Golog is given here. See (Levesque et al. 
1997) for a full discussion of the language and also a Prolog 
interpreter. Golog provides a set of extralogical constructs 
(such as action sequencing, if-then-else, while loops) for as- 
sembling primitive actions, defined in the situation calculus, 
into macros that can be viewed as complex actions. The 
macros are defined through the predicate Do{6, s, .s') where 
t) is a complex action expression. Do{ <\ s, s') is intended to 
mean that the agent’s doing action <) in situation s leads to 
a (not necessarily unique) situation s'. The inductive defini- 
tion of Do includes the following cases: 

Do(a. s. s') — simple actions 

Do(6?, s. s) — tests (referred to as G-tests in this paper) 
Do( [S i ; S- 2 ] , s, s ) — sequences 
Do( [S] s. s') — nondeterministic choice of actions 

Do{(Th:)S. s. s') — nondetenninistic choice of parameters 
DoiiS <p then S\ else S>, s, s')- conditionals, where we 

restrict o toaG-test 
DofwhUe <p do<L,s.s') — while loops 

Space does not permit giving file lull expansion far each 
of the constructs, but they can be found in (Levesque et al. 
1997). The only change here is that the definition of the G- 
test construct (including the implicit G-test in file condition 
construct) must expand into a G-test involving knowledge 4 . 

The following is a partial example of a complex test writ- 
ten in Golog, and derived from (Ramsey 1999). This par- 
ticular procedure is designed to help discriminate the space 
of hypotheses generated when a car won’t start, namely 
{ab(intrlk, s), empt y ( gas J ark. ,s). ab(batt, ,s), ab(solrul , s). 
ab(igji .wires,*), ab{ starter,*)}. In a diagnostic application 
such as this one, Golog procedures may also be written to 
combine testing with repair. 

proc CarWontStart 
I f (-i startable) then checkInterlock; 

4 We are taking the simplest approach towards incorporating 
sensing actions into Golog. All actions are on-line. In other words, 
they are executed immediately without any possibility of back- 
tracking. Other options for completely off-line execution (Lake- 
meyer 1999) and a mixture of off-line and on-line execution (De 
Giacomo & Levesque 1999a) have been discussed in the literature. 


if (— . AB(lNTRLK)) then CHECK JGAS_TANK; 
if (-< empty(gas.tank)) then checkBattery; 
if (-> ab(batt)) then checkSolenoid; 
if (-» ab(solnd)) then checkIgn Wires; 
if (-h ab(ign_wires)) then checkStarter; 
if (-1 ab(starter)) then checkEngine 
end if end if end if end if end if end if end if 
endProc 

proc CheckBattery 
turn^on(radio); check_radio_noise; 

if (-. NOISE(RADIO)) 

then turnjon(lights); check_lights 

end if 
endProc 

Observe that complex tests often invoive world-altering 
actions which serve to establish the preconditions and initial 
conditions for embedded simple tests. Also observe that in 
achieving the preconditions or initial conditions for simple 
tests, these actions change the state of die world, including 
potentially changing the space of hypotheses. For exam- 
ple, if a flashlight isn’t emitting light, and one hypothesis 
is that the batteries are dead, a good way to test them is to 
replace them with fresh batteries, and see whether the flash- 
light then works. However, replacing the flashlight batteries 
potentially changes the state of one of the hypotheses. 

In diagnosis domains, such as the ones above, it is of- 
ten desirable to combine fault detection (hypothesis testing) 
with repair and to take actions to eradicate faults as easily as 
to diagnose them (Mcllraith 1997; Baral, Mcllraith, & Tran 
2000). However, in cases where it is desirable not to alter 
the truth status of the hypothesis space, care must be taken 
to design and verify and/or generate tests that maintain des- 
ignated knowledge constraints and world constraints. E.g., 
we don’t want to determine whether the gas tank is empty 
by draining it! 


involve ensuring that for at least one H, Knows(->XL s) 
holds in the final situation, i.e., V/^m r Knows(->/f. s). 

In (Scherl & Levesque 1 993), a form of regression (based 
on the discussion in (Reiter 1991)) is developed for the sit- 
uation calculus with sensing actions. Through the appli- 
cation of regression, reasoning about situations reduces to 
reasoning in the initial situation, So* Given a ground sit- 
uation term (i.e. a term built on So with the function do 
and ground action terms) the problem is to determine 
whether the axiomatization of the domain V entails G(s gr ) 
where G (the intended objective of the procedure) is an arbi- 
trary sentence including knowledge operators. This question 
is reduced to the question of whether or not the axiomatiza- 
tion of the initial situation entails the regression of G(s gr ), 

i. e.,ft(G'( Agr))- Since the result of regression is a formula in 
an ordinary modal logic of knowledge (i.e. a formula with- 
out action terms and where die only situation term is So) an 
ordinary modal theorem proving method may be used to de- 
termine whether or not the regressed formula is entailed by 
the axiomatization of the initial situation, V.%. In our case 
G will be a formula made up of subformulae of the form 
Kwhether(/L a) or Knows (-iff. a), where H is an hy- 
pothesis. 

The regression operator ft is defined relative to a set of 
successor state axioms XL*- The first four parts of the defi- 
nition of the regression operator 5 , ft concern world-altering 
actions and are taken from (Reiter 2000). 

L When W is a non-fluent atom, including equality atoms, and 
atoms with the predicate symbol Poss, or when IT’ is a fluent 
atom or Knows operator, whose situation argument is the situa- 
tion constant So, ft [II I = U\ 

ii. When F is a relational fluent (other than K) atom whose suc- 
cessor state axiom in />«?.$ is 

, Possia , s) D [F(x \ ..... , do(a. a)) = # r] 


Automated Reasoning About Tests 

In the previous section we introduced the notion of a com- 
plex test, demonstrating that such tests could sometimes be 
specified in Golog. In this final technical section we briefly 
examine the use of automated reasoning techniques, and in 
particular the use of regression rewriting, for the purpose 
of verifying certain properties of Golog-specified complex 
tests, and for generating complex tests as conditional plans. 
Our presentation draws upon (Lesperance 1994) and (Re- 
iter 2000). Other related approaches to conditional plan- 
ning include (Rosenschein 1981 ; Manna & Waldinger 1987; 
Lobo 1998). 

Consider the Golog complex test given above to help dis- 
criminate the space of hypotheses generated when a car 
won’t start. To verify that it is an individual discriminat- 
ing test, it is necessary to ensure that for at least one of the 
hypotheses H , Kwhether(fiL a) holds, where a is the sit- 
uation resulting from the execution of the Golog procedure, 
i.e. Do(CarWontStart,5o,a). Thus, we would like to 
be able to entail Vw<=//y r Kwhether(/L a), and in par- 
ticular K whet her(emply(gaAjank), a), for example. A 
verification that the procedure is a discriminating test would 


ft[F(f,, ... 


= if;:.: 


.a.* 


lit Whenever IT ’ is a formula. 


iIT'1 = -ft[IT'] ; 
(Vv)\V] = <Vi.)ft[tr], 
‘(3t OIL,] = (3t,.)ft[iri]. 


iv. Whenever W\ and \V 2 are formulas, 
ft[ILi A II 2] = ftflT'i] A ft|UU 
ftpT’i v ii 2] = ftpr,] v ft.[ir, l 
ftir. Dir 2 ] = ft[ir,]Dft.[ir,] 


Following (Scherl & Levesque 1993), additional steps are 
needed to extend the regression operatorto sensing actions 6 . 
Two definitions are needed for the specification to follow. 
When ^ is an arbitrary sentence and $ a situation term, then 
V?[s] is the sentence that results from adding an extra argu- 
ment to every fluent of ■•+> and inserting a into that argument 

5 Some details are omitted here (e.g, regression of functional 
fluents, and the equality predicate). Also note that the formula to 
be regressed must be regressable. This concept is fully defined in 
(Reiter 2000). 

6 Regression of sensing actions that make known the denotation 
of a term (e.g. an action of reading a number on a piece of paper) 
is not discussed here. 



position. The reverse operation 1 is the result of remov- 
ing the last argument position from all the fluents in p. 

Step v covers the case of regressing a world-altering ac- 
tion through the Knows operator. Step vi covers the cases of 
regressing a sensing action through the Knows operator. In 
the definitions below, a' is a new situation variable. 

v. Whenever a is not a sensing action, 

7? [Know* (IF, <to(o.. a))] = 

Knows ((ft[IF[<fo(a, a')]])~ 1 , a). 

vt Whenever a is a sensing action, where is a formula 
such that Z> entails that V’M 15 equivalent to SF(a,n ), 
77[Knows(TF.</o(a, a))] = 

(Its (a) 3 Knowi(r» t 3 ft[lF[do(a, a')]] ‘.a)) A 
3 Kitows(-»r\ 3 7l[W[d<Aa. V)]]~\.*» 

An additional operator C needs to be defined to handle 
the expansion of me complex actions found in Golog, so 
that we can apply regression 7 . We are only considering a 
subset of Golog programs - those composed of simple ac- 
tions, sequencing, and conditionals. We also add the empty 
action noOp or [j (names for the same operation). Also note 
that 7r a (i\ s) stands for the preconditions of a(:r) as speci- 
fied in the action precondition axiom, V ap , Po*a («(£), s) = 

vtU. CfnoOp, IF, s) = «••(,) 

lx. (J([u(iO; IF, a) = n a (x : a) A C(6, IF, do(a(x), a)) where 
a(.r) is a ground non-sensing simple action term. 

X. F([if <p (.tT) then S j else S - i ], IF, a) = 

K whet her ( o(.?). a) A 
[Knows(^(/) r ?) 3 , IF, a)] A 

[Knows! -v>(£). .$) 3 C(Si, IF, a)] 

We are assuming that the agent is able 8 to execute the Golog 
test procedure. In particular, the programmer (of the test 
procedure) must have ensured that at the point where an 
[if (-) (?) then 6 \ else A- 2 ] statement is encountered, the ex- 
ecuting agent must K whet her (o, a). If not, the procedure 
will Ml. 

In the following theorem (a generalization of Theorem 2 
from (Lesperance 1994), recall Tv* ( p) indicates the repeated 
regression of p until further applications leave the formula 
unchanged. 

Theorem 2 For any Golog procedure 6, consisting of sim- 
ple actions , sequences , and conditionals , and G an arbitrary 
closed regressable formula that may include knowledge op- 
erators: 

T>£= 3s(Do(6.Soi s) A (7(a)) iff 

x>A 0 u x >„„ 0 >= nr ids, g, s*)) 

Theorem 2 shows it may be verified that any Golog testing 
routine (utilizing concatenation and conditionals) achieves 
its intended objective G through the use of regression fol- 
lowed by theorem proving in the initial database. The suc- 
cessor state axioms (!>,,) are only used in the regression 
procedure. This theorem can be extended to likewise verify 
other properties of our Golog procedures. 

7 The C operator introduced here is based on (but generalizes) 
the E operator of (Lesperance 1994). 

8 See (Lesperance et al 2000) for a discussion of ability and 
Golog programs. Related issues are discussed in (Lesperance 1994; 
Lakemeyer 1999). 


We can use the above regression operator as the basis 
for a simple conditional planning algorithm for constructing 
complex tests. Following (Lesperance 1994), we consider 
only normal form conditional plans. These are conditional 
plans in which the condition in a conditional (e.g. the e> in 
[if O (/) then rfi else rfo]) must be a sensed formula. Thus 
we can require that prior to any conditional with the G-test 
o, there must be an action a such that a is a sensing action 
and V (= SF(a, a) = c>(a). This guarantees that the pro- 
gram executing the test will always Kwhether(o, a) when 
a conditional is encountered. For any complex test (that is 
executable) consisting only of concatenation and condition- 
als, there must be an equivalent test in this normal form. 

For i = 1, 2, 3 . . . , we can define the sentences Ti as: 

r 0 =G(») 
r /'= r 

3a([3.r (a = .1, (j*) A , (.r) V ... 

V 3? (a ;= A„{£) A -4 fJ (iO)] 

a ft(r,_i(,/o(«,A))}) v 

3a([3.r (a = - A x A * (x) A (SF{a. a) ~ A 

71(0 \ (J?, do(a. a)) 3 I\_ i (do(a. a))) A 
72(^o,(.r./fo(a.*)) 3 h-i (do(a. a)))] 

A... A 

3a([3£(a - . At r A * t (/) A (SF(a, a) = <$,*(*)) A 

7 (*, do(a, a)) 3 r,_ 1 (do(a, s))) A 
7l(^o m (.f. <io(a , a)) 3 IV 1 (f tola, a)))] 

Each T, is true if there is a plan of length i starting in a 
and leading to a state satisfying G (Reiter 1995; Lesperance 
1994). The following theorem (essentially Theorem 3 of 
(Lesperance 1994)) establishes the soundness and complete- 
ness of the regression-based test planning method. 

Theorem 3 For Golog procedure 6 in normal form and G, 
an arbitrary closed regressable formula that may include 
knowledge operators: 

V [= 3s(Do(H. So, a) A (7(a)) iff for some n 
T>s n UT>„„ a (= To(5 0 ) V ... V r„(S 0 ) 

This regression-based finite horizon method of generating 
and evaluating all normal form conditional plans of greater 
and greater size is certainly not designed for efficiency, but 
the results can serve as the foundation for building more 
efficient regression-based complex-test planning methods, 
much as similar results have served as the foundation for 
relatively more efficient regression based planning methods 
(McDermott 1991 ; Lesperance 1994; Rosenschein 1981). In 
future work we will evaluate the extension of current state 
of the ait planning techniques based on SAT and Graphplan, 
to address the planning problems raised in this paper (Weld 
1999). 

Summary 

In this paper we presented results towards a formal theory 
of testing for dynamical systems, specified in the language 
of the situation calculus. Our first contribution was to ad- 
dress the ramification problem for sensing actions. We then 
defined the notion of a test, examining how a test can be 
designed and how die outcome of different types of tests af- 
fect an agent’s state of knowledge. The realization of many 



tests in the world requires a complex sequencing of world- 
altering and sensing actions, whose selection and ordering is 
conditioned upon the outcome of previous sensing actions. 
We proposed specifying such complex tests in the logic pro- 
gramming language Golog. We then demonstrated that re- 
gression could be used both to verify the desired objective 
of such complex tests, and to generate tests as conditional 
plans under certain restrictions. 

Sensing is integral to die operation of most autonomous 
agents. The notion of complex and simple tests introduced 
here extends the body of theoretical work on sensing in dy- 
namical systems, and has practical relevance for building 
agents for diagnostic problem solving, plan understanding, 
or simply for mobile cognitive agents that need to interact in 
complex environments with limited sensing. 
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